ENS
  August 6, 2016 - South Africa

How to Prepare for POPI, South Africa’s Privacy Law
  by Era Gunning

 

Timeline

20 August 2013: The South African National Assembly passes the Protection of Personal Information Bill [B9D of 2009] (“the Bill”) to give effect to the constitutional right to privacy.

19 November 2013: The Bill is signed into law by President Jacob Zuma and gazetted as the Protection of Personal Information Act 4 of 2013 (“POPI”).

11 April 2014: Certain provisions relating to the establishment of the Information Regulator (“the Regulator”) and the making of regulations under POPI are brought into force.

24 July 2015: Parliament calls for nominations for candidates for five positions within the Regulator.

13 April 2016: The Portfolio Committee on Justice and Correctional Services (“the Committee”) shortlists 10 candidates for positions within the Regulator.

17 May 2016: The Committee recommends that Adv. Pansy Tlakula be appointed as chairperson and four other candidates as members of the Regulator.

What’s next?

The National Assembly needs to approve the appointment of the recommended candidates. It is expected that this will happen after the local elections in August 2016. The POPI Regulations will then be published and the Act will come into force on a date to be announced by the President.

“Responsible parties” (public or private bodies or any other person which, alone or with others, determine the purpose of, and means for, processing personal information) will then have a one-year transitional period before having to comply with POPI.

The Regulator will have extensive powers, and any person alleging interference with the protection of personal information of a data subject (the person to whom the information relates) may submit a complaint.

The Regulator may then assist the parties to reach a settlement or investigate the complaint and, after considering its Enforcement Committee’s recommendations, issue an enforcement notice. Failure to comply with this notice is an offence, which may lead to a fine of up to R10-million or imprisonment for up to 10 years, or both.

Responsible parties must comply with the eight conditions for processing personal information set out in chapter 3 of POPI. In addition, certain responsible parties, such as those who process information for the purposes of credit reporting, must obtain prior authorisation from the Regulator before processing personal information. Failure to do so is an offence, punishable by a fine or imprisonment of up to 12 months, or both. Responsible parties must also appoint information officers, who must be registered with the Regulator.

What to do now?

We estimate that POPI will come into force around the last quarter of 2017. It is therefore essential that companies use the next year or so to conduct POPI audits and put POPI policies in place.

ENSafrica has a specialised POPI compliance team and the firm’s POPI Toolkit can assist companies to meet POPI's requirements. The firm also offers in-house tailored POPI workshops and information officer training courses.

Era Gunning

banking and finance senior associate

[email protected]

+27 82 788 0827




Footnotes: